Authorizing users for IBM z/OS Connect by using role-based access control (RBAC)

How to authorize users for IBM® z/OS Connect in an OCI-compliant container platform by using role-based access control (RBAC).

Before you begin

Applies to zosConnect-3.0.

About this task

Note: This task applies to Red Hat® OpenShift® only.

Before you install the z/OS Connect API image, prepare your Red Hat OpenShift container platform environment by granting role-based access control (RBAC) authorization.

Authorization in Red Hat OpenShift container platform can be achieved through identity providers and groups. The identity provider defines how users can be created and grants access to the Red Hat OpenShift container platform cluster. These users can be assigned to groups in Red Hat OpenShift container platform and assigned roles to access specific resources.

For Application Developers to deploy z/OS Connect API images to Red Hat OpenShift container platform, you must configure the following RBAC (role-based access control). For more information about RBAC, see Using RBAC in the Red Hat OpenShift container platform documentation.

User-level access is restricted in several ways. A simple and effective strategy is to separate users by Role.

  1. cluster-admin - Admin users who need access to prepare and manage the cluster for deploying z/OS Connect APIs. For more information, see Creating a cluster admin in the Red Hat OpenShift container platform documentation.
  2. zcon-user - Users who are members of the zcon-users Group and need access to deploy and manage z/OS Connect APIs.

The following procedure demonstrates how a user with the cluster-admin Role can create the zcon-user ClusterRole and the zcon-users Group in the Red Hat OpenShift Container Platform. A ClusterRoleBinding is then added to the zcon-users Group that applies the zcon-user Role to the defined users of the group.

Procedure

  1. Log in as cluster-admin to the Red Hat OpenShift container platform web console, and ensure that you are using the Administrator perspective by using the left navigation.
  2. Create the zcon-user ClusterRole.
    1. Click User Management > Roles in the left navigation.
    2. Click Create Role in the upper right of the Roles page.
    3. Copy the following YAML into the editor.
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: zcon-user
      rules:
        - verbs:
            - get
            - create
          apiGroups:
            - project.openshift.io
          resources:
            - projects
            - projectrequests
        - verbs:
            - get
            - list
            - watch
          apiGroups:
            - apiextensions.k8s.io
          resources:
            - customresourcedefinitions
            - customresourcedefinitions/status
        - verbs:
            - get
            - list
          apiGroups:
            - route.openshift.io
          resources:
            - routes
        - verbs:
            - get
            - list
          apiGroups:
            - networking.k8s.io
          resources:
            - networkpolicies
            - routes
            - ingresses
        - verbs:
            - get
            - create
            - list
            - watch
            - update
            - delete
          apiGroups:
            - ''
          resources:
            - pods
            - pods/log
            - pods/exec
            - pods/status
            - events
            - namespaces
            - namespaces/status
            - secrets
            - configmaps
            - services
        - verbs:
            - get
            - list
            - watch
          apiGroups:
            - apps
          resources:
            - deployments
            - deployments/scale
            - replicasets
        - verbs:
            - get
            - list
            - watch
          apiGroups:
            - operators.coreos.com
          resources:
            - clusterserviceversions
            - catalogsources
            - installplans
            - subscriptions
            - operatorgroups
        - verbs:
            - create
            - delete
            - get
            - list
            - update
            - watch
          apiGroups:
            - zosconnect.zcon.ibm.com
          resources:
            - zosconnects
            - zosconnectconfigs
    4. Click Create.
    5. The Role > Role details page is opened for the zcon-user ClusterRole.
  3. Create the zcon-users Group.
    1. Click User Management > Groups in the left navigation.
    2. Click Create Group in the upper right of the Groups page.
    3. Copy the following YAML into the editor.
      apiVersion: user.openshift.io/v1
      kind: Group
      metadata:
        name: zcon-users
      users:
        - user1
        - user2
    4. Replace user1 and user2 with your users.
    5. Click Create.
    6. The Group > Group details page is opened for the zcon-users Group.
  4. Bind the zcon-user ClusterRole to the zcon-users Group with a ClusterRoleBinding.
    1. Go to the Group details page for the zcon-users Group.
      Figure 1. Create RoleBindings for zcon-users Group
    2. Click the RoleBindings tab.
    3. Click Create binding to open the Create RoleBinding form.
    4. Complete the form as follows:
      1. For Binding type, select Cluster-wide role binding (ClusterRoleBinding).
      2. For Name, enter zcon-user-clusterrolebinding.
      3. For Role name, select zcon-user.
    5. Click Create.
    6. The RoleBindings > ClusterRoleBinding details page is opened for the zcon-user-clusterrolebinding ClusterRoleBinding.
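The following is an added example, not IBM's or Red Hat's code: an offline mirror of `oc auth can-i --as=<user>` that applies Kubernetes RBAC matching rules to the zcon-user ClusterRole, zcon-users Group and ClusterRoleBinding created in the procedure above, so you can confirm what the binding grants before the image is deployed. The rules are a transcribed subset of the page's ClusterRole, and user1, user2 and user3 are placeholder names.

```python
# Added example, not IBM's or Red Hat's code: an offline mirror of
# `oc auth can-i --as=<user>` applying Kubernetes RBAC matching to the
# zcon-user ClusterRole, zcon-users Group and ClusterRoleBinding from this
# page. Rules are a transcribed subset; user1/user2/user3 are placeholders.

# (apiGroups, resources, verbs) from the page's zcon-user ClusterRole.
ZCON_USER_RULES = [
    ({"project.openshift.io"}, {"projects", "projectrequests"}, {"get", "create"}),
    ({""}, {"pods", "pods/log", "pods/exec", "secrets", "configmaps", "services"},
     {"get", "create", "list", "watch", "update", "delete"}),
    ({"apps"}, {"deployments", "deployments/scale", "replicasets"},
     {"get", "list", "watch"}),
    ({"zosconnect.zcon.ibm.com"}, {"zosconnects", "zosconnectconfigs"},
     {"create", "delete", "get", "list", "update", "watch"}),
]
CLUSTER_ROLES = {"zcon-user": ZCON_USER_RULES}
GROUPS = {"zcon-users": {"user1", "user2"}}  # placeholder members
# (binding name, ClusterRole, subject Group) as created in step 4 of the procedure
CLUSTER_ROLE_BINDINGS = [("zcon-user-clusterrolebinding", "zcon-user", "zcon-users")]

def _matches(allowed, wanted):
    # An entry of "*" matches anything; otherwise the name must be listed.
    return "*" in allowed or wanted in allowed

def rule_allows(rule, api_group, resource, verb):
    # A subresource such as pods/exec must be listed by name; "pods" alone
    # does not cover it, which is why the page lists them separately.
    groups, resources, verbs = rule
    return (_matches(groups, api_group) and _matches(resources, resource)
            and _matches(verbs, verb))

def can_i(user, verb, resource, api_group=""):
    # Deny by default; allow if any ClusterRole bound to one of the user's
    # groups has a matching rule. A ClusterRoleBinding applies in every namespace.
    user_groups = {g for g, members in GROUPS.items() if user in members}
    return any(
        rule_allows(rule, api_group, resource, verb)
        for _name, role, subject in CLUSTER_ROLE_BINDINGS if subject in user_groups
        for rule in CLUSTER_ROLES.get(role, ()))

if __name__ == "__main__":
    checks = [("user1", "create", "zosconnects", "zosconnect.zcon.ibm.com"),  # yes
              ("user1", "delete", "deployments", "apps"),  # no: read-only on apps
              ("user1", "create", "pods/exec", ""),        # yes: subresource listed
              ("user3", "get", "pods", "")]                # no: not in zcon-users
    for user, verb, resource, group in checks:
        verdict = "yes" if can_i(user, verb, resource, group) else "no"
        print(f"{user} {verb} {group or 'core'}/{resource}: {verdict}")
```

Because the procedure uses a ClusterRoleBinding, every rule applies in every namespace, including get and list on secrets; a namespaced RoleBinding per project narrows that scope if the developers only need their own projects.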

Results

The zcon-user Role and zcon-users Group are added to the Red Hat OpenShift container platform. The zcon-user Role is applied to all users in the zcon-users Group.

Users are added to and removed from the Group by a cluster-admin.

The Red Hat OpenShift container platform cluster is configured with role-based access control (RBAC), ready for the deployment of z/OS Connect APIs.